Certificates
Generate
Generate a CA certificate and key
openssl req -new -x509 -sha256 -newkey rsa:4096 -days 365 -extensions v3_ca -nodes -keyout ca.key -out ca.pem
This should result in a certificate with X509v3 Basic Constraints set to CA:TRUE.
Generate a self-signed certificate and key
openssl req -new -x509 -sha256 -newkey rsa:4096 -days 365 -nodes -keyout example.com.key -out example.com.pem
Generate a PKCS#10 X.509 certificate signing request
- Generate a private key:
  openssl genrsa -out example.com.key 4096
- Produce a corresponding CSR:
  openssl req -new -key example.com.key -out example.com.csr
- Review the CSR:
  openssl req -in example.com.csr -noout -text
Generate a “CA”-signed certificate from a certificate signing request and “CA” certificate/key
openssl x509 -req -sha256 -days 365 -in example.com.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out example.com.pem
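Added example (not part of the original page): the CA, CSR and signing commands above run non-interactively as shell functions, followed by the checks one would make on the result (CA:TRUE on the CA certificate, chain verification, key/certificate match). The inline config, the subject names and the function names are assumptions made for this example.

```shell
# build_chain DIR [BITS]: create a CA and a CA-signed leaf certificate in DIR.
build_chain() {
    dir=$1; bits=${2:-4096}
    # Minimal config written inline (assumption) so the run does not depend on
    # the system openssl.cnf providing a [v3_ca] section.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -new -x509 -sha256 -newkey "rsa:$bits" -days 365 -nodes \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl genrsa -out "$dir/example.com.key" "$bits" 2>/dev/null || return 1
    openssl req -new -key "$dir/example.com.key" -config "$dir/ca.cnf" \
        -subj "/CN=example.com" -out "$dir/example.com.csr" || return 1
    openssl x509 -req -sha256 -days 365 -in "$dir/example.com.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -set_serial 01 \
        -out "$dir/example.com.pem" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/example.com.key"  # -nodes leaves keys unencrypted
}

# is_ca CERT: succeed only if Basic Constraints contains CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# chain_ok CAFILE CERT: succeed only if CERT verifies against CAFILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches KEY CERT: succeed only if CERT carries KEY's public key.
key_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Usage: d=$(mktemp -d) && build_chain "$d" && chain_ok "$d/ca.pem" "$d/example.com.pem"
```

The self-signed certificate from the earlier command would fail chain_ok against ca.pem, since it is its own issuer.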
Display
Display in human-readable form the contents of a certificate in PEM format
openssl x509 -in example.com.pem -noout -text
Display in human-readable form the contents of a certificate in DER format
openssl x509 -in example.com.der -inform DER -noout -text
Display in human-readable form the contents of a certificate revocation list in DER format
openssl crl -in example.com.crl -inform DER -noout -text
Convert
Convert a PKCS#7 certificate into an X.509 certificate
openssl pkcs7 -print_certs -in example.com.p7p -out example.com.pem
Convert a certificate and private key into a PKCS#12 file
openssl pkcs12 -export -out certificate.pfx -inkey example.com.key -in example.com.pem -certfile ca.pem